OpenSSL: Generate CSR & sign it for valid certificates (Kibana | Opensearch Dashboard| Wazuh Dashboard)
One common challenge when setting up Kibana, Wazuh Dashboard, or OpenSearch Dashboard is transitioning from self-signed certificates to publicly signed ones, ensuring browsers recognize your SSL connection as secure.
This write up describe how to achieve it using Openssl :
Create a temporary key:
openssl genrsa -out my-key-temp.pem 2048Convert Private Key to PKCS#8 Format:
openssl pkcs8 -inform PEM -outform PEM -in my-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out my-private-key.pemSave the key
my-private-key.pemas it will be used in the configuration
Create the openssl.cnf file where you specify the domain information:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = domain.com
DNS.2 = *.domain2.com
Generate the CSR certificate:
openssl req -new -key my-private-key.pem -out my-server.csr -config openssl.cnfSend the CSR to be signed or sign it if you have access to the CA as follows:
openssl x509 -req -in my-server.csr -CA /Path/to/Ca/root-ca.pem -CAkey /Path/to/Ca/root-ca.key -CAcreateserial -out myserver.pem -days 3650 -extfile openssl.cnf -extensions v3_reqThat should sign and generate the certificate myserver.pem
Now that you have the certificate myserver.pem and the key my-private-key.pem, You can use them as follows:
Wazuh Dashboard:
Copy the certificate under
/etc/wazuh-dashboard/certsSpecify the certificates within
/etc/wazuh-dashboard/opensearch_dashboards.yml
server.ssl.key: "/etc/wazuh-dashboard/certs/my-private-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/myserver.pem"Modify the permissions and ownership of the certificates:
chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/
chmod -R 500 /etc/wazuh-dashboard/certs/
chmod 440 /etc/wazuh-dashboard/certs/my-private-key.pem /etc/wazuh-dashboard/certs/myserver.pemRestart the Wazuh dashboard service:
systemctl restart wazuh-dashboardOpensearch Dashboard:
Place the certificates under
/etc/opensearch-dashboards/certsSpecify them within
/etc/opensearch-dashboards/opensearch_dashboards.yml
server.ssl.key: "/etc/opensearch-dashboards/certs/my-private-key.pem"
server.ssl.certificate: "/etc/opensearch-dashboards/certs/myserver.pem"Modify the permissions and ownership of the certificates:
chown -R opensearch:opensearch /etc/opensearch-dashboards/
chmod -R 500 /etc/opensearch-dashboards/certs/
chmod 440 /etc/opensearch-dashboards/certs/my-private-key.pem /etc/opensearch-dashboards/certs/myserver.pemRestart the Wazuh dashboard service:
systemctl restart opensearch-dashboardKibana:
Copy the certificate under
/etc/kibana/certsSpecify them within
/etc/kibana/kibana.yml
server.ssl.certificate: /etc/kibana/certs/myserver.pem
server.ssl.key: /etc/kibana/certs/my-private-key.pemModify the permissions and ownership of the certificates:
chown -R kibana: /etc/kibana/certs
chmod -R 770 /etc/kibana/certsRestart the service:
systemctl restart kibana